
Trojan.Gen.2; Trojan.Gen; Trojan.Zeroaccess.C; Trojan.Zeroaccess.B; Trojan.Zeroaccess


  • This topic is locked
5 replies to this topic

#1 shiba1

shiba1

  • Members
  • 2 posts
  • OFFLINE

Posted 14 August 2012 - 06:25 PM

It started with google and other search engines redirecting me to the wrong pages. My Norton 360 showed that it stopped Trojan.Zeroaccess but a notification kept popping up indicating that Norton 360 is processing threats. Within a few days Norton indicated that it stopped all 4 of the trojans in the title above. Needless to say, my computer is still having problems and Norton says that it stopped the Trojans each day since the beginning of all this. Norton also finds tracking cookies every time it runs a scan.

I cannot post the DDS log because the GMER scan will not complete. The first time I ran it I received a message indicating that "symantic service framework has stopped working. Windows will close program and notify you if solution is available." The next time I ran the scan I received a message that "windows has recovered from an unexpected shutdown" and a message that said "host process for windows service has stopped working and closed".

Thanks in advance for any help that you can provide! Much appreciated!

NOTE: I tried running TDSSKiller but it found nothing and didn't help either.

I am running Windows Vista Home Premium and I believe it is 32 bits.

-Shiba

Edit: I tried doing the GMER scan again last night and it never seems to get to the screen that I see in the directions thread. See below for what it looks like when I clicked save in the morning after running the scan last night.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-15 07:30:00
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: gmer.exe; Driver: C:\Users\Jared\AppData\Local\Temp\awdoypow.sys


---- System - GMER 1.0.15 ----

SSDT 90790938 ZwAlertResumeThread
SSDT 907546B0 ZwAlertThread
SSDT 9075A500 ZwAllocateVirtualMemory
SSDT 8F7524F0 ZwAlpcConnectPort
SSDT 907930A8 ZwCreateMutant
SSDT 9075A590 ZwCreateThread
SSDT 9075BB90 ZwDebugActiveProcess
SSDT 9076ABD0 ZwFreeVirtualMemory
SSDT 90793178 ZwImpersonateAnonymousToken
SSDT 90793238 ZwImpersonateThread
SSDT 90760A40 ZwMapViewOfSection
SSDT 90768B88 ZwOpenEvent
SSDT 9075A388 ZwOpenProcessToken
SSDT 90768A08 ZwOpenSection
SSDT 90766EF0 ZwOpenThreadToken
SSDT 90771E10 ZwResumeThread
SSDT 9075FC00 ZwSetContextThread
SSDT 90766FC0 ZwSetInformationProcess
SSDT 90766D98 ZwSetInformationThread
SSDT 90768AC8 ZwSuspendProcess
SSDT 907595B0 ZwSuspendThread
SSDT 90760380 ZwTerminateProcess
SSDT 8F7F2948 ZwTerminateThread
SSDT 8F7DC970 ZwUnmapViewOfSection
SSDT 9076ACA0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 350 81ED5974 8 Bytes [38, 09, 79, 90, B0, 46, 75, ...] {CMP [ECX], CL; JNS 0xffffffffffffff94; MOV AL, 0x46; JNZ 0xffffffffffffff98}
.text ntkrnlpa.exe!KeSetTimerEx + 364 81ED5988 4 Bytes [00, A5, 75, 90]
.text ntkrnlpa.exe!KeSetTimerEx + 370 81ED5994 4 Bytes [F0, 24, 75, 8F]
.text ntkrnlpa.exe!KeSetTimerEx + 428 81ED5A4C 4 Bytes [A8, 30, 79, 90] {TEST AL, 0x30; JNS 0xffffffffffffff94}
.text ntkrnlpa.exe!KeSetTimerEx + 454 81ED5A78 4 Bytes [90, A5, 75, 90] {NOP ; MOVSD ; JNZ 0xffffffffffffff94}
.text ...
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A14D480, 0x3C939, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A18E900, 0x3CA, 0x48000040]

---- User code sections - GMER 1.0.15 ----

? C:\Windows\system32\services.exe[736] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: mswsock.dllunknown module: MSWSOCK.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report17364d68

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\svchost.exe.5900.dmp 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by shiba1, 15 August 2012 - 05:45 PM.
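The GMER log above is the kind of output a malware responder reads by hand: SSDT entries, patched kernel code, writeable driver sections and image checksum mismatches. The following parser is an added example (not part of the original post and not a GMER or BleepingComputer tool) that splits a GMER 1.0.15 log into its sections and summarizes those findings; the sample log is constructed from a few lines of the posted output. SSDT entries are frequently placed by security products themselves (the posted log shows Symantec's SYMTDI.SYS attached to the TCP/UDP devices), so the summary is review input for an analyst, not a verdict.

```python
import re

# Constructed sample: a handful of lines in the format of the GMER 1.0.15 log posted above.
SAMPLE_LOG = r"""
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-15 07:30:00
---- System - GMER 1.0.15 ----
SSDT 90790938 ZwAlertResumeThread
SSDT 9075A500 ZwAllocateVirtualMemory
SSDT 8F7524F0 ZwAlpcConnectPort
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetTimerEx + 350 81ED5974 8 Bytes [38, 09, 79, 90, B0, 46, 75, ...]
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A14D480, 0x3C939, 0xE8000020]
---- User code sections - GMER 1.0.15 ----
? C:\Windows\system32\services.exe[736] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")          # "---- System - GMER 1.0.15 ----"
SSDT_RE = re.compile(r"^SSDT ([0-9A-F]{8}) (\w+)$")                  # "SSDT <handler addr> <Zw function>"
PATCH_RE = re.compile(r"^\.text (\S+)!(\w+) \+ ([0-9A-F]+) ([0-9A-F]{8}) (\d+) Bytes")  # patched kernel code

def parse_gmer(text):
    """Walk the log section by section and collect the findings a responder reviews."""
    findings = {"ssdt": [], "patches": [], "writeable": [], "mismatch": []}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System" and (m := SSDT_RE.match(line)):
            findings["ssdt"].append((m.group(2), int(m.group(1), 16)))        # (function, handler address)
        elif section == "Kernel code sections":
            if m := PATCH_RE.match(line):
                findings["patches"].append((m.group(1), m.group(2), int(m.group(5))))  # (module, function, bytes)
            elif "section is writeable" in line:
                findings["writeable"].append(line.split()[1])                  # driver path
        elif section == "User code sections" and "checksum mismatch" in line:
            findings["mismatch"].append(line)
    return findings

def summarize(findings):
    """The at-a-glance lines an analyst wants: what is hooked, patched or mismatched."""
    names = sorted(n for n, _ in findings["ssdt"])
    return {"ssdt_hooks": len(names),
            "hooked_process_thread_apis": [n for n in names if "Thread" in n or "Process" in n],
            "patched_modules": sorted({mod for mod, _, _ in findings["patches"]}),
            "writeable_driver_sections": findings["writeable"],
            "checksum_mismatches": len(findings["mismatch"])}
```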


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 16,607 posts
  • ONLINE
  • Gender:Male
  • Location:California

Posted 19 August 2012 - 12:36 PM

Greetings shiba1 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. :thumbup2:


===================================================


Ground Rules:

  • First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Please allow me some time to review the information you have provided. I will post back as soon as possible.
Regards,
Gary

If I do not respond to you within 24 hours of your post please send me a Personal Message .


"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 16,607 posts
  • ONLINE
  • Gender:Male
  • Location:California

Posted 19 August 2012 - 12:51 PM

Greetings shiba1 ,

I would like you to do a few things for me but first I must advise you of the following.


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

  • Please download ComboFix from one of these locations:

    BleepingComputer

    ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.

    Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.

    • Check your computer clock. If it is still running then so is ComboFix
    • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
    • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
    Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply.

===================================================


DDS by sUBs

--------------------

  • If you no longer have the program on your computer, please download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the Posted Image icon
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Two Notepad documents will open - DDS.txt and Attach.txt. Please copy and paste the results in your reply
  • Close the program window, and delete the program from your desktop
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


===================================================


Posting Previous TDSSKiller log

--------------------

  • Using Windows Explorer navigate to the root directory (normally c:\)
  • Locate the TDSSKiller log which will be named similar to:

    TDSSKiller_version_date_time_log.txt
  • Copy and paste the contents of that document in your reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Combofix.txt
  • DDS.txt
  • Attach.txt
  • TDSSKiller log
  • How is your computer running?

Regards,
Gary


#4 shiba1

shiba1
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE

Posted 20 August 2012 - 07:05 PM

Thanks for getting back to me. In light of your warnings above I reinstalled the OS. Thanks for your help.

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 16,607 posts
  • ONLINE
  • Gender:Male
  • Location:California

Posted 20 August 2012 - 07:06 PM

No problem, always the safest bet.

Thanks for letting me know. I will close this thread.
Regards,
Gary


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 16,607 posts
  • ONLINE
  • Gender:Male
  • Location:California

Posted 20 August 2012 - 07:12 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Regards,
Gary
